
Getting to Know TShark

Posted: 2023-09-07 19:31:50  Views: 33

TShark is the command-line counterpart of Wireshark.

TShark is a network protocol analyzer. It can capture packet data from a live network, or read packets from a previously saved capture file, and either print a decoded form of those packets to standard output or write the packets to a file. TShark's native capture file format is pcapng, which is also the format used by Wireshark and various other tools.

If no options are given, TShark behaves like tcpdump: it uses the pcap library to capture traffic from the first available network interface and prints a summary line on standard output for every packet it receives.

TShark captures network traffic; the -i option names the network interface to capture on, and -w names the file the packets are written to:

cd "D:\Program Files\Wireshark"
.\tshark.exe -i "以太网 4" -w c:\20230101_.pcapng

Press Ctrl+C to stop the capture.


The same capture, this time also passing -T fields -e tcp, which selects the "fields" text output format and names tcp as the field to print:

.\tshark.exe -i "以太网 4" -T fields -e tcp -w c:\20230101_01.pcapng


To restrict what is captured, pass a capture filter with the -f option; it uses libpcap filter syntax, so this example keeps only traffic to or from one host:

.\tshark.exe -i "以太网 4" -f "host 172.20.10.3" -w c:\20230101_01.pcapng


The TShark program lives in the Wireshark installation directory. Run it with --help to print the usage information:

D:\Program Files\Wireshark>tshark.exe --help
TShark (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.

Usage: tshark [options] ...

Capture interface:
  -i <interface>, --interface <interface>
                           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>, --snapshot-length <snaplen>
                           packet snapshot length (def: appropriate maximum)
  -p, --no-promiscuous-mode
                           don't capture in promiscuous mode
  -I, --monitor-mode       capture in monitor mode, if available
  -B <buffer size>, --buffer-size <buffer size>
                           size of kernel buffer (def: 2MB)
  -y <link type>, --linktype <link type>
                           link layer type (def: first appropriate)
  --time-stamp-type <type> timestamp method for interface
  -D, --list-interfaces    print list of interfaces and exit
  -L, --list-data-link-types
                           print list of link-layer types of iface and exit
  --list-time-stamp-types  print list of timestamp types for iface and exit

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ..., --autostop <autostop cond.> ...
                           duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
                            packets:NUM - stop after NUM packets
Capture output:
  -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>
                           duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
                            packets:NUM - switch to next file after NUM packets
                           interval:NUM - switch to next file when the time is
                                          an exact multiple of NUM secs
RPCAP options:
  -A <user>:<password>     use RPCAP password authentication
Input file:
  -r <infile>, --read-file <infile>
                           set the filename to read from (or '-' for stdin)

Processing:
  -2                       perform a two-pass analysis
  -M <packet count>        perform session auto reset
  -R <read filter>, --read-filter <read filter>
                           packet Read filter in Wireshark display filter syntax
                           (requires -2)
  -Y <display filter>, --display-filter <display filter>
                           packet displaY filter in Wireshark display filter
                           syntax
  -n                       disable all name resolutions (def: "mNd" enabled, or
                           as set in preferences)
  -N <name resolve flags>  enable specific name resolution(s): "mnNtdv"
  -d <layer_type>==<selector>,<decode_as_protocol> ...
                           "Decode As", see the man page for details
                           Example: tcp.port==8888,http
  -H <hosts file>          read a list of entries from a hosts file, which will
                           then be written to a capture file. (Implies -W n)
  --enable-protocol <proto_name>
                           enable dissection of proto_name
  --disable-protocol <proto_name>
                           disable dissection of proto_name
  --enable-heuristic <short_name>
                           enable dissection of heuristic protocol
  --disable-heuristic <short_name>
                           disable dissection of heuristic protocol
Output:
  -w <outfile|->           write packets to a pcapng-format file named "outfile"
                           (or '-' for stdout)
  --capture-comment <comment>
                           add a capture file comment, if supported
  -C <config profile>      start with specified configuration profile
  -F <output file type>    set the output file type, default is pcapng
                           an empty "-F" option will list the file types
  -V                       add output of packet tree        (Packet Details)
  -O <protocols>           Only show packet details of these protocols, comma
                           separated
  -P, --print              print packet summary even when writing to a file
  -S <separator>           the line separator to print between packets
  -x                       add output of hex and ASCII dump (Packet Bytes)
  --hexdump <hexoption>    add hexdump, set options for data source and ASCII dump
     all                   dump all data sources (-x default)
     frames                dump only frame data source
     ascii                 include ASCII dump text (-x default)
     delimit               delimit ASCII dump text with '|' characters
     noascii               exclude ASCII dump text
     help                  display help for --hexdump and exit
  -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
                           format of text output (def: text)
  -j <protocolfilter>      protocols layers filter if -T ek|pdml|json selected
                           (e.g. "ip ip.flags text", filter does not expand child
                           nodes, unless child is specified also in the filter)
  -J <protocolfilter>      top level protocol filter if -T ek|pdml|json selected
                           (e.g. "http tcp", filter which expands all child nodes)
  -e <field>               field to print if -Tfields selected (e.g. tcp.port,
                           _ws.col.Info)
                           this option can be repeated to print multiple fields
  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     bom=y|n               print a UTF-8 BOM
     header=y|n            switch headers on and off
     separator=/t|/s|<char> select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s|<char> select comma, space, printable character as
                           aggregator
     quote=d|s|n           select double, single, no quotes for values
  -t a|ad|adoy|d|dd|e|r|u|ud|udoy
                           output format of time stamps (def: r: rel. to first)
  -u s|hms                 output format of seconds (def: s: seconds)
  -l                       flush standard output after each packet
  -q                       be more quiet on stdout (e.g. when using statistics)
  -Q                       only log true errors to stderr (quieter than -q)
  -g                       enable group read access on the output file(s)
  -W n                     Save extra information in the file, if supported.
                           n = write network address resolution information
  -X <key>:<value>         eXtension options, see the man page for details
  -U tap_name              PDUs export mode, see the man page for details
  -z <statistics>          various statistics, see the man page for details
  --export-objects <protocol>,<destdir>
                           save exported objects for a protocol to a directory
                           named "destdir"
  --export-tls-session-keys <keyfile>
                           export TLS Session Keys to a file named "keyfile"
  --color                  color output text similarly to the Wireshark GUI,
                           requires a terminal with 24-bit color support
                           Also supplies color attributes to pdml and psml formats
                           (Note that attributes are nonstandard)
  --no-duplicate-keys      If -T json is specified, merge duplicate keys in an object
                           into a single key with as value a json array containing all
                           values
  --elastic-mapping-filter <protocols> If -G elastic-mapping is specified, put only the
                           specified protocols within the mapping file
  --temp-dir <directory>   write temporary files to this directory
                           (default: C:\Users\jiahe\AppData\Local\Temp)

Diagnostic output:
  --log-level <level>      sets the active log level ("critical", "warning", etc.)
  --log-fatal <level>      sets level to abort the program ("critical" or "warning")
  --log-domains <[!]list>  comma separated list of the active log domains
  --log-debug <[!]list>    comma separated list of domains with "debug" level
  --log-noisy <[!]list>    comma separated list of domains with "noisy" level
  --log-file <path>        file to output messages to (in addition to stderr)

Miscellaneous:
  -h, --help               display this help and exit
  -v, --version            display version info and exit
  -o <name>:<value> ...    override preference setting
  -K <keytab>              keytab file to use for kerberos decryption
  -G [report]              dump one of several available reports and exit
                           default report="fields"
                           use "-G help" for more help

D:\Program Files\Wireshark>
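Once a capture has been written with -w as in the commands above, the usual next step is to read it back with -r and pull out specific fields with -T fields, -e and the -E options listed in the help text. The following Python script is an added example, not code from the original post or from the Wireshark project: it builds that command line, parses the tab-separated output, and summarises destination ports and DNS names queried, which is the kind of first-pass triage done on a saved capture. It assumes tshark is on PATH when run for real; for the offline run it uses a constructed sample of tshark output, and the field names and -E option values are taken from the help text above.

```python
"""Read a TShark capture back as tab-separated fields and summarise it.

Added example, not code from the original post. It assumes tshark is on
PATH (the post runs it from the Wireshark install directory on Windows)
and that a capture written with -w exists when run_tshark() is used.
"""
import shutil
import subprocess
from collections import Counter

# Fields to extract: Wireshark display-filter field names, one -e each.
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst",
          "tcp.dstport", "udp.dstport", "dns.qry.name"]


def build_fields_command(capture_file, display_filter=None, fields=FIELDS,
                         tshark="tshark"):
    """Compose the -T fields command line from the options in the help text.

    -E header=y      first output line names the columns
    -E separator=/t  tab between columns (tabs never occur in field values)
    -E occurrence=a  print every occurrence of a field in a packet ...
    -E aggregator=,  ... joined with commas (e.g. several dns.qry.name values)
    -E quote=n       no quotes around values
    """
    cmd = [tshark, "-r", capture_file, "-T", "fields",
           "-E", "header=y", "-E", "separator=/t",
           "-E", "occurrence=a", "-E", "aggregator=,", "-E", "quote=n"]
    if display_filter:
        # -Y takes Wireshark display-filter syntax; -f (used in the capture
        # commands above) takes libpcap syntax and only applies to live capture.
        cmd += ["-Y", display_filter]
    for field in fields:
        cmd += ["-e", field]
    return cmd


def parse_fields_output(text):
    """Parse -T fields output produced with header=y into a list of dicts.

    An empty column becomes None; a comma-aggregated column becomes a list.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split("\t")
    records = []
    for line in lines[1:]:
        cols = line.split("\t")
        cols += [""] * (len(header) - len(cols))  # tolerate missing trailing columns
        record = {}
        for name, value in zip(header, cols):
            if value == "":
                record[name] = None
            elif "," in value:
                record[name] = value.split(",")
            else:
                record[name] = value
        records.append(record)
    return records


def summarise(records):
    """Count packets per destination ip:port and the DNS names queried."""
    destinations = Counter()
    dns_names = Counter()
    for record in records:
        port = record.get("tcp.dstport") or record.get("udp.dstport")
        if isinstance(port, list):  # encapsulated traffic: keep the first occurrence
            port = port[0]
        dst = record.get("ip.dst")
        if isinstance(dst, list):
            dst = dst[0]
        if dst and port:
            destinations[f"{dst}:{port}"] += 1
        names = record.get("dns.qry.name")
        if names:
            for name in (names if isinstance(names, list) else [names]):
                dns_names[name] += 1
    return destinations, dns_names


def run_tshark(capture_file, display_filter=None):
    """Run the real tshark over a capture file and summarise its output."""
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark not found on PATH; add the Wireshark directory")
    proc = subprocess.run(build_fields_command(capture_file, display_filter),
                          check=True, capture_output=True, text=True)
    return summarise(parse_fields_output(proc.stdout))


# Constructed sample of the command's output for a short capture (not real data).
# 172.20.10.x are the addresses used in the post; 198.51.100.10 is a documentation
# address (RFC 5737).
SAMPLE_OUTPUT = (
    "frame.time_epoch\tip.src\tip.dst\ttcp.dstport\tudp.dstport\tdns.qry.name\n"
    "1672531200.000100\t172.20.10.3\t172.20.10.1\t\t53\texample.com\n"
    "1672531200.000900\t172.20.10.1\t172.20.10.3\t\t51234\texample.com\n"
    "1672531200.010000\t172.20.10.3\t198.51.100.10\t443\t\t\n"
    "1672531200.020000\t172.20.10.3\t198.51.100.10\t443\t\t\n"
    "1672531200.030000\t172.20.10.3\t172.20.10.1\t\t53\tone.example,two.example\n"
)

if __name__ == "__main__":
    destinations, dns_names = summarise(parse_fields_output(SAMPLE_OUTPUT))
    print("packets per destination:", destinations.most_common())
    print("DNS names queried:", dns_names.most_common())
```

To run it against the file written by the capture commands above, call run_tshark("c:/20230101_01.pcapng", "dns or tls") and the same two counters come back; the tab separator is chosen because it cannot appear inside a field value, while occurrence=a with a comma aggregator preserves packets that carry several values of one field (several DNS question names, for instance) instead of silently dropping all but the first.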



From: https://blog.51cto.com/xingjia/7400631
